In this paper, we explore mechanisms for defending against Distributed Denial of Service (DDoS) attacks, which have become one of the major threats to the operation of the Internet today. We propose a novel scheme for detecting and preventing the most harmful and difficult-to-detect DDoS attacks: those that use IP address spoofing to disguise the attack flow. Our scheme is based on a firewall that can distinguish the attack packets (containing spoofed source addresses) from the packets sent by legitimate users, and thus filters out most of the attack packets before they reach the victim. Unlike other packet-marking-based solutions, our scheme has a very low deployment cost; we estimate that an implementation of this scheme would require the cooperation of only about 20% of the Internet routers in the marking process. The scheme allows the firewall system to configure itself based on the normal traffic of a Web server, so that the occurrence of an attack can be quickly and precisely dete...